This article is a featured article from the Pediy forum (看雪论坛).
Pediy forum author ID: dolphindiv
1
```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *p1 = malloc(8);
    int *p2 = malloc(8);
    fprintf(stderr, "malloc two fastbin chunks: p1=%p p2=%p\n", (void *)p1, (void *)p2);
    void *p3 = malloc(0x500); // malloc a large chunk carved from the top chunk
    void *p4 = malloc(0x8);   // guard: stops the freed large chunk from consolidating with the top chunk
    void *p5 = malloc(0x600); // malloc another large chunk
    void *p6 = malloc(0x8);   // guard: stops the freed large chunk from consolidating with the top chunk
    free(p3);                 // free p3 into the unsorted bin
    free(p5);                 // free p5 into the unsorted bin
    void *p7 = malloc(0x550); // malloc a large chunk: p3 and p5 are moved from the unsorted bin into the largebins
    fprintf(stderr, "malloc large chunk: p7=%p\n", p7);
    (void)p4; (void)p6;       // the guards are intentionally never freed
    return 0;
}
```
2
Use the s (step) command to enter malloc.c and single-step through it.
Using the largebin idx computed earlier, the largebin header is computed as 0x7ffff7dce0e0. This header points to a chunk of size 0x500 (at 0x555555756290), which is clearly smaller than the size the user requested, so the condition tested at lines 3919 to 3921 is not satisfied.
The program then executes line 3987, which increments idx by 1 and computes the header of the next largebin.
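A toy model of the largebin lookup traced above, added here as an illustration and not part of the original post or of glibc: it reuses glibc's largebin_index formula for 64-bit builds but replaces the real doubly linked bin lists with a small array per bin (that array model is my assumption), and feeds it the chunk sizes of p3, p5 and p7 from the program above (user size plus the 0x10 header).

```c
#include <stdio.h>
#define NBINS 128
/* largebin_index for SIZE_SZ == 8, as defined in glibc malloc.c */
static unsigned largebin_index_64(unsigned long sz) {
    return (sz >> 6)  <= 48 ?  48 + (sz >> 6)
         : (sz >> 9)  <= 20 ?  91 + (sz >> 9)
         : (sz >> 12) <= 10 ? 110 + (sz >> 12)
         : (sz >> 15) <= 4  ? 119 + (sz >> 15)
         : (sz >> 18) <= 2  ? 124 + (sz >> 18)
         : 126;
}

/* Toy model of the largebins (not glibc's real linked lists): each bin is an
   array of up to 8 chunk sizes in descending order, so [0] is what first(bin) gives. */
static unsigned long bins[NBINS][8];
static int bin_len[NBINS];

static void largebin_insert(unsigned long chunksize) {
    unsigned idx = largebin_index_64(chunksize);
    int i = bin_len[idx]++;
    while (i > 0 && bins[idx][i - 1] < chunksize) { bins[idx][i] = bins[idx][i - 1]; i--; }
    bins[idx][i] = chunksize;
}

/* Mimic _int_malloc's largebin search for a normalised request nb: returns the
   chunk size chosen (0 if none); *extra = how many times idx was incremented. */
static unsigned long largebin_search(unsigned long nb, int *extra) {
    unsigned idx = largebin_index_64(nb);
    *extra = 0;
    /* own bin is usable only if its largest chunk is >= nb; then take the smallest fit */
    if (bin_len[idx] > 0 && bins[idx][0] >= nb)
        for (int i = bin_len[idx] - 1; i >= 0; i--)
            if (bins[idx][i] >= nb) return bins[idx][i];
    /* otherwise ++idx until a non-empty bin; its smallest chunk is the best fit */
    while (++idx < NBINS) {
        (*extra)++;
        if (bin_len[idx] > 0) return bins[idx][bin_len[idx] - 1];
    }
    return 0;
}

int main(void) {
    largebin_insert(0x510);              /* p3's chunk: malloc(0x500) + 0x10 header */
    largebin_insert(0x610);              /* p5's chunk: malloc(0x600) + 0x10 header */
    int extra; unsigned long nb = 0x560; /* p7: malloc(0x550) + 0x10 header */
    unsigned long got = largebin_search(nb, &extra);
    printf("nb=%#lx idx=%u -> chunk %#lx after %d ++idx step(s)\n", nb, largebin_index_64(nb), got, extra);
    return 0;
}
```

Real glibc skips empty bins with the binmap instead of walking them one by one, and splits the chosen chunk when the remainder is at least MINSIZE; the model only shows which bin and chunk the search lands on.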
Pediy ID: dolphindiv
https://bbs.pediy.com/user-home-717768.htm